Enterprises with computer networks need to monitor network usage for a variety of reasons, including policy compliance, reporting, threat detection, determining efficiencies, and the like. Security Information and Event Management (SIEM) systems and methods refer to a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event management). Conventional SIEM systems and methods provide real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances, or managed services, and are also used to log security data and generate reports for compliance purposes. The acronyms SEM, SIM and SIEM have been used interchangeably, though there are differences in meaning and product capabilities.

The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM). The second area, which provides long-term storage, analysis and reporting of log data, is known as Security Information Management (SIM). The term Security Information and Event Management (SIEM) describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. A key focus is to monitor and help manage user and service privileges, directory services and other system configuration changes, as well as to provide log auditing and review and incident response.
An important aspect of conventional SIEM systems and methods is that they are located within an enterprise's network, e.g. behind a firewall or the like. With the emergence of the cloud, there is a need to provide the functionality of conventional SIEM systems and methods with cloud-based services.